Canadian municipalities are “sitting ducks” for “cyber terrorists,” says the mayor of Stratford, Ont. — the latest Canadian community to find itself targeted by an online ransom attack.
Dan Mathieson said that if his fellow mayors across the country don’t start working together on the problem, more communities may be hit by online extortionists holding municipal data for ransom.
“We’re not the first and we definitely won’t be the last that will experience something like this,” Mathieson told CBC News from his city hall office.
“As long as we are holding information that is deemed to be valuable to attackers … the new terrorists of the century … I think we need to find a way to [co-operate].”
On April 14, cyber criminals hijacked part of the city’s computer servers, locking out some municipal employees. Stratford Police Chief Greg Skinner confirmed the incident was a ‘ransomware’ attack.
“They were holding hostage the data of the city, and they were demanding a ransom, or money, in return [for] the release of that information in the form of Bitcoin,” he said.
To pay or not to pay
Local police are leading the investigation, although they have reached out to the Ontario Provincial Police for specialized help.
But while it’s the job of law enforcement agencies to investigate ransomware attacks, the decision on whether to pay such ransom demands is completely up to the city and its insurance company.
“It my job is to deal with the investigation. It was the city’s responsibility to deal with all the demands of the attackers,” Skinner said.
“How the City of Stratford responded was in the best interests of the city of Stratford and the residents.”
Mathieson won’t say if Stratford has paid the ransom, or if it plans to.
“Right now, because of the process that’s underway, we’ve been asked by the police to limit the type of information we provide,” he said. “And until such time as they tell us it’s appropriate, we are going to continue to let them lead.”
CSE won’t tell attack targets how to respond
Scott Jones is the head of the Canadian Centre for Cyber Security at the Communications Security Establishment, the federal agency responsible for protecting Canada’s communications networks from attack. He said his office won’t give politicians or business leaders advice on whether to pay up to make a ransomware problem go away.
“The key action with paying a ransom is, you have to measure that against, ‘How do I get my business back up and running.’ And that’s an individual decision for an organization to work out internally and with its insurance company,” Jones told CBC News.
“And that’s really where working with insurance kicks in. It’s very important to work with your company in restoration.”
Online ransom attacks are a growing challenge, said Rick Orr of Orr Insurance, which acts as Stratford’s insurance broker.
“Cyber attacks, ransom attacks are becoming so prevalent,” he said. “The old adage of the two things you want to avoid … death and taxes … is becoming the three things: death, taxes and [a] cyber attack.
“When the city of Stratford was attacked … we put them in touch with their insurer’s crisis 800 number, and the insurer takes over working with them and providing a lot of advice and guidance throughout the process.”
Sensitive data wasn’t affected: mayor
Investigators are still trying to determine exactly which information was seized in the attack. Mathieson said he wants to reassure residents that sensitive personal financial data were not compromised.
“They didn’t involve payment information because the city has third parties that process payments. We were sure that they were looking at databases that contain city minutes of meetings, regular business transactions, e-mail flow, all those types of things,” the mayor said.
Stratford’s attack follows similar ransom demands made last year in two other Ontario municipalities: Wasaga Beach and Midland.
In 2016, the University of Calgary paid $20,000 to cyber criminals to regain access to its computer systems.
Because this problem isn’t going away, Mathieson said he wants to come up with a national strategy for municipalities to improve cyber security.
“There’s over two thousand municipalities in Canada … they hold a lot of sensitive information on individuals … on properties, on a lot of transactions. They’re very vulnerable,” Mathieson said.
“It’d be great actually if there was a national standard, a national association, where we could all fold in and under together and make sure that we had the best opportunity for all of us to protect this information.”
Mathieson will get that conversation started this fall, when Ontario municipalities meet for a cyber protection seminar. He said he wants other mayors to consider looking at housing their servers together in one place, pooling funds to hire the best online security experts, or coming up with an advisory board to guide municipalities on how to navigate these attacks.
“I think that’s where strength in numbers — putting us all together and finding a way to do it collectively — will allow us to have a best practice.”
Skinner said he supports the idea of a unified approach and suggested police could do more as well.
“There needs to be a higher level of coordination … with respect to these crimes,” Skinner said.
While Stratford Police are working with the OPP on this investigation, Skinner said that because these crimes have a “global scope…. there needs to be RCMP engagement at the national and international level, where the OPP would feed into their investigative expertise.”
Skinner said he also wants to see more training and resource funding for police agencies to help them investigate online crimes.
“We are all vulnerable. Municipalities, individuals, and public institutions, private business and law enforcement agencies are all vulnerable,” Skinner said.